Health Insurance Portability and Accountability Act. Policies and Procedures Compliance Manual. Human Resources. Ferris State University

Transcription

1 Health Insurance Portability and Accountability Act Policies and Procedures Compliance Manual Human Resources Ferris State University

2 Introduction to Ferris State University s HIPAA Privacy Policies and Procedures Privacy regulations under HIPAA the Health Insurance Portability and Accountability Act of 1996 require Ferris State University ( FSU ) to protect the privacy of individually identifiable health information of participants in FSU s health plans (the Health Plan ). This information is known as protected health information, or PHI for short. FSU s policy is to fully comply with HIPAA s privacy requirements (the Privacy Rules ). All members of FSU s workforce who use or have access to PHI must comply with the policies and procedures set forth herein ( Policies and Procedures ). Failure to comply will result in disciplinary action as set forth in FSU s employment handbook. For purposes of these Policies and Procedures, FSU s workforce includes employees, volunteers, trainees, and other persons whose work performance is under the direct control of FSU, whether or not they are paid by FSU. FSU does not intend to create any third party rights (including rights of Health Plan participants, beneficiaries, covered dependents or outside service providers) by adopting these Policies and Procedures. FSU may amend or change these Policies and Procedures at any time, even retroactively, without notice. FSU intends that these Policies and Procedures implement HIPAA s Privacy Rules and will interpret them consistent with the regulations promulgated under HIPAA. To the extent that these Policies and Procedures establish requirements and obligations beyond those required by HIPAA, they are aspirational and not binding upon FSU. These Policies and Procedures do not address requirements under other federal, state, or local laws. 2

3 Table of Contents I. Important Definitions and Concepts Used in These Policies and Procedures... 1 PHI (Protected Health Information)... 1 Minimum Necessary... 1 Workforce/Employee... 2 Designated Record Set... 2 Covered Entity... 2 Use... 2 Disclosure... 2 Business Associate... 2 De-identified Information... 3 Payment... 3 Health Care Operations... 4 II. Health Plan s Responsibilities as a Covered Entity... 4 A. Privacy Officer and Contact Person... 4 B. Workforce Training... 5 C. Safeguards... 5 Administration Safeguards... 5 Technical Safeguards... 6 Physical Safeguards... 6 D. Complaints... 7 E. Discipline... 8 Type of Discipline... 8 Whistleblowers... 8 Crime Victims... 8 F. No Intimidating or Retaliatory Acts... 8 G. No Waiver of Rights... 9 Limited Exception for the Health Plan s Eligibility or Enrollment Determinations... 9 H. Notice of Privacy Practices... 9 Creating the Notice... 9 Contents of the Notice... 9 Delivering the Notice... 9 Posting the Notice on FSU s Web Site Electronic Delivery of Notice of Privacy Practices Revisions to the Notice III. Procedures for Uses and Disclosures of PHI A. Who Must Comply with these Policies and Procedures B. Limitations on Access to PHI C. Permitted Uses and Disclosures of PHI for Payment and Health Care Operations Uses and Disclosures for the Health Plan s Own Payment Activities or Health Care Operations Disclosures for Another Covered Entity s Payment Activities Disclosures for Certain Health Care Operations of the Receiving Covered Entity

4 Uses and Disclosures for Plans or Programs Other than the Health Plans Questions about Uses and Disclosures for Payment and Health Care Operations Use of Genetic Information D. Mandatory Disclosures of PHI to Individuals and HHS Requests from the Individual Request from the Department of Health and Human Services (HHS) E. Permitted Uses and Disclosures of PHI for Legal and Public Policy Purposes.. 15 F. Use of PHI for Marketing Definition Exceptions G. Sale of PHI Definition Exceptions H. Uses and Disclosures of PHI With an Individual s Authorization Valid Authorizations Core Elements Required Statements Providing a Copy of the Authorization to the Individual Revoking an Authorization Documentation Required I. Uses and Disclosures of PHI by Business Associates Business Associate Agreements Uses and Disclosure of PHI by Business Associates Unauthorized Uses and Disclosures of PHI by Business Associates J. Requests for Disclosure of PHI from Spouses, Family Members, and Friends.. 22 Information About Deceased Individuals Emergency Disclosure of Information K. Uses and Disclosures of De-Identified Information L. Verifying the Identity of Those Requesting PHI Request by the Individual Who Is the Subject of the PHI Request by a Parent of Minor Child Request subject to an Authorizaton Request by a Personal Representative Request by a Public Official M. Documentation and Record Retention Requirements Documenting the Policies and Procedures Notice of Privacy Practices Documenting Disclosures of PHI for Purposes of Responding to Requests for an Accounting Uses and Disclosures that Must Be Documented Uses and Disclosures that Need Not Be Documented Documenting Authorizations and Individual Rights Documenting Training Documenting Complaints Documenting Disciplinary Action Documenting Mitigation Efforts Documenting Business Associate Agreements

5 Documenting Breach Notifications N. Mitigation of Inadvertent Disclosures of PHI Generally Breach Notification Requirements A. Breach Notification Team B. Determining whether a breach has occurred C. Special Considerations for Breaches Involving Business Associates (Or for Business Associates Subcontractors) D. Notification Notice to Individuals Notice to the Media Notice to the Department of Health & Human Services IV. Procedures for Complying with Individual Rights A. Individual s Request to Inspect and Copy Requests that Are Denied Requests that Are Granted Providing a Summary Charging Reasonable Fees B. Individual s Request for Amendment Requests that Are Granted Requests that Are Denied C. Individual s Request for an Accounting of Disclosures of PHI D. Individual s Request for Confidential Communications E. Individual s Request for Restrictions on Uses and Disclosures of PHI V. Procedures for Complying with the Minimum Necessary Standard A. Determining the Minimum Necessary- Use and Disclosure Criteria B. Routine and Non-routine Uses and Disclosures of PHI C. Routine and Non-routine Requests D. Exceptions to the Minimum Necessary Standard

6 PRIVACY POLICIES AND PROCEDURES I. Important Definitions and Concepts Used in These Policies and Procedures These Policies and Procedures use a number of important terms and concepts in describing FSU s obligations under the Privacy Rules. All definitions in the Privacy Rules are hereby incorporated by reference into these Policies and Procedures. If a term is not defined in the Privacy Rules, the term shall have its generally accepted meaning. Several of the key terms and concepts from the Privacy Rules are: PHI (Protected Health Information): PHI is individually identifiable health information about an individual that relates to the past, present or future physical or mental health or condition of the individual. PHI includes not only information about health care treatment that individuals receive, but also information about whether they are covered by the Health Plan, what their Health Plan payments are, and who else in their family is covered. If the information identifies the person, or can be used to identify the person, then it is PHI. To qualify as PHI, the information must be related to the Health Plan. PHI does not include enrollment information found in FSU s employment records (whether held by FSU or its enrollment administrator). Enrollment information is defined under HIPAA Transaction standards, but is generally information such as name, address, social security number, elected coverage and cost of coverage. However, enrollment information will be considered PHI when it is in the hands of the Health Plan s third party administrators and in FSU s health plan records. PHI includes information in written, oral, or electronic form. It includes information that you obtain as a result of working with the Health Plan. PHI must be kept confidential. You should not discuss it with anyone, except as necessary to perform your duties related to the Health Plan. Information about an individual is no longer considered PHI once the individual has been deceased for more than 50 years. Therefore, FSU is not obligated to apply these Policies and Procedures to Health Plan information about an individual who has been deceased for more than 50 years. Limited Data Set: A Limited Data Set is PHI that has had most identifiers of the individual, or of relatives, employers, or household members removed from it. A Limited Data Set is similar to De-identified Information (see below), except that a Limited Data Set may include city, state and zip code information and any dates related to an individual. Limited Data Set is further defined at 45 C.F.R (e). Minimum Necessary: The Privacy Rules require that when PHI is used or disclosed, you must make reasonable efforts to limit the use or disclosure to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request. For example, if someone asks for an individual s Health Plan records in order to perform a function on behalf of the Health Plan, but the records include more information than is really needed for that particular function, 1

7 you should disclose only the information needed (and not the entire record). (See Section V, Procedures for Complying with the Minimum Necessary Standard.) Workforce/Employee: FSU s workforce means any individual who works directly under the control of FSU, whether or not they are paid by FSU. This includes not only employees, but also volunteers, trainees, interns/externs, workers employed by a temporary agency, and independent contractors. Whenever the Policies and Procedures discuss FSU s obligation to protect PHI, the discussion is intended to include anyone who is a member of FSU s workforce. The term employee when used in the Policies and Procedures means any member of FSU s workforce. Designated Record Set: Designated record set means the enrollment, payment, claims adjudication and other records that are maintained by the Health Plan. It includes records that are maintained on behalf of the Health Plan, such as by a third party administrator or some other outside company that performs services for the Health Plan. It also includes records that may be used, in whole or in part, by or for the Health Plan to make decisions about an individual. For purposes of this definition, record means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for the Health Plan. Covered Entity: Covered Entity means an individual or entity that is subject to the Privacy Rules. Covered Entity includes a health plan, health care clearinghouse, and health care provider who transmits any health information in electronic form in connection with a transaction covered by the Standards for Electronic Transactions (45 CFR et seq.) Use: Use of PHI means the sharing, employment, application, utilization, examination or analysis of individually identifiable health information by any person working for, in connection with, or within FSU s human resources department, or by a business associate (as defined below) of the Health Plan. Disclosure: Disclosure of PHI means the release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within FSU s human resources department. Business Associate: A business associate is a person (other than a member of FSU s workforce) or entity that creates, receives, maintains or transmits PHI on behalf of the Health Plan. A business associate arranges, performs or assists in the performance of functions or activities for the Health Plan that involve PHI. Such functions include: claims processing or administration data analysis, storage, processing or administration utilization review quality assurance billing 2

8 benefit management re-pricing any other function or activity regulated by HIPAA A business associate also includes a person (other than a member of FSU s workforce) or entity that provides the following types of services, if the services involve the disclosure of PHI: legal actuarial accounting consulting data aggregation management administration accreditation financial services De-identified Information: Information qualifies as de-identified information only if it does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. PHI can become de-identified in two ways: professional statistical analysis has determined that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information; or 18 defined identifiers of the individual or of relatives, employers, or household members of the individual are removed Payment: Payment means activities undertaken to obtain Health Plan premiums or to determine or fulfill the Health Plan s responsibility for coverage and provision of benefits, or to obtain or provide reimbursement for the provision of health care. Payment includes: determinations of eligibility or coverage, including coordination of benefits or the determination of cost sharing amounts adjudication or subrogation of health benefit claims 3

9 risk adjusting amounts due based on enrollee health status and demographic characteristics billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing review of health care services for purposes of determining coverage Health Care Operations: Health care operations means any of the following activities to the extent that they are related to Health Plan administration: evaluating Health Plan performance underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance) conducting quality assessment and improvement activities conducting or arranging for medical review, legal services, and auditing functions business planning and development business management and general administration activities II. Health Plan s Responsibilities as a Covered Entity A. Privacy Officer and Contact Person The Privacy Rules require FSU to appoint a privacy official ( Privacy Officer ) who is responsible for developing and implementing privacy policies and procedures. The Privacy Rules also require FSU to appoint a contact person or office who is responsible for receiving complaints of privacy violations and who can provide more information about the Notice of Privacy Practices that FSU is required to send to all participants in the Health Plan. FSU has established the following administrative structure designed to comply with these requirements: the Privacy Officer, who has overall responsibility for the privacy and security of PHI. The Privacy Officer is the Associate Vice President for Human Resources, and may be reached at 231/

10 B. Workforce Training The Privacy Rules require FSU to train all individuals who are members of the Health Plan s workforce. FSU s policy is that all members of its workforce involved in the administration of its Health Plan or who otherwise need access to PHI will be trained as necessary and appropriate for them to carry out their functions. For purposes of these Policies and Procedures, FSU s workforce includes employees, volunteers, trainees, interns/externs, workers employed by a temporary agency, independent contractors, and any other persons whose work performance is under the direct control of FSU, whether or not they are paid by FSU. The Privacy Officer is responsible for developing training schedules and programs so that all appropriate workforce members receive the training necessary and appropriate for them to carry out their functions for the Health Plan. Newly-hired employees will be trained before they are given access to PHI, or as soon as possible thereafter. All training will be documented as set forth in the Privacy Rules documentation requirements. (see section III.M, Documentation and Record Retention Requirements ). C. Safeguards The Privacy Rules require FSU to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. FSU s policy is to maintain appropriate safeguards as required by the Privacy Rules. Administrative Safeguards. FSU s Policies and Procedures include numerous administrative safeguards to protect the privacy of PHI. These administration safeguards include: appointment of the Privacy Officer to implement and oversee compliance with the Policies and Procedures distribution of a Notice of Privacy Practices to all Health Plan participants training of workforce members regarding the Policies and Procedures creation of administration firewalls between FSU s Health Plan functions and its employment functions establishment of a system to administer individual rights under the Health Plan (e.g., right to request additional privacy protection for PHI, right to inspect and copy PHI, right to request correction of PHI, right to notice of disclosures made by the Health Plan, and right to request confidential communication) 5

11 establishment of a complaint system for individuals to use if they believe a privacy violation has occurred Technical Safeguards. FSU has adopted the following technical safeguards to protect the privacy of PHI on its computer systems: restriction of access to PHI on its computer systems to individuals who need access to PHI in order to perform their duties use of passwords to authenticate an individual s right to access PHI creation of computer firewalls around PHI to protect it from unauthorized access by others within FSU or outside of FSU changing of computer passwords on a routine basis Physical Safeguards. FSU has adopted the following physical safeguards to protect the privacy of PHI: paper files containing PHI are kept in locked file cabinets only employees with responsibility for the Health Plan have access to Health Plan records; employees who do not have Health Plan responsibilities are not given access to Health Plan records portable media (such as diskettes, CDs, and computer tapes) are stored in secure locations where access is limited to authorized personnel main frame systems and servers storing PHI are kept in rooms with restricted access Health Plan records are kept separate from employment records Electronic Health Plan information is accessible only by employees with responsibility for the Health Plan who need access to such information. This includes electronic health information maintained internally (e.g., FSU information systems) and externally (e.g., third party administrator websites) reasonable precautions are taken to ensure that Health Plan records are not left out in the open or unattended Health Plan information is used only for Health Plan purposes; it is not shared for making employment decisions (hiring, firing, promotions, etc.) or for administering any non-health plan programs (e.g., workers' compensation, FMLA, disability, employee recognitions, etc.) 6

12 FSU has made modifications to the physical layout of Human Resources with restricted access during and after business hours. D. Complaints The Privacy Rules require FSU to implement a process by which individuals may file complaints about privacy violations. FSU s policy is that anyone who believes that the Policies and Procedures or the Privacy Rules have been violated at FSU may submit a written complaint to the Privacy Officer. An individual who wishes to file a complaint should request from the Privacy Officer the Individual Complaint Form. Upon receiving a completed complaint form, the Privacy Officer will do the following: review the Policies and Procedures or Privacy Rules at issue obtain any additional information from the individual necessary to understand the nature and basis of the complaint investigate the conduct that is the subject of the complaint, which may include interviewing members of the workforce and business associates, and reviewing records in the individual s designated record set if appropriate, consult with legal counsel or other appropriate resources for evaluating the complaint decide how the complaint will be handled and then take appropriate action, which may include: o actions necessary to minimize any harmful effects from the unauthorized use or disclosure o disciplinary action against employees in accordance with FSU s disciplinary policies (see section II.E, Discipline ) o appropriate actions with respect to business associates in accordance with the relevant business associate agreement (see section III.I, Uses and Disclosures of PHI by Business Associates ) o modification of the Policies and Procedures, if necessary o no action, if it is determined that there has been no violation of the Policies and Procedures or the Privacy Rules communicate to the individual, in writing and on a timely basis, the final outcome of the complaint investigation 7

13 retain documentation of the complaint and its disposition as required by the Privacy Rules documentation requirements (see section III.M, Documentation and Record Retention Requirements ) complete the Complaint Tracking Form E. Discipline The Privacy Rules require FSU to have and apply appropriate discipline to employees who fail to comply with the Policies and Procedures or the Privacy Rules. FSU s policy is to appropriately discipline any employee who violates the Policies and Procedures or the Privacy Rules. Type of Discipline. FSU will appropriately discipline employees who fail to comply with the Policies and Procedures or the Privacy Rules, in accordance with the disciplinary policies set forth in FSU s employee handbook, FSU s policies and procedures, and Collective Bargaining Agreements. Discipline will vary depending on the nature of the employee s misconduct, but discipline includes sanctions up to and including termination of employment. Whistleblowers. FSU will not discipline employees who disclose PHI, so long as: the employee believes in good faith that the Health Plan or FSU has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the Health Plan or FSU potentially endangers one or more patients, workers, or the public; and the disclosure was made to the individuals or agencies and for the purposes set forth in the whistleblower provisions of the Privacy Rules (see section (j) of the Privacy Rules) Crime Victims. FSU will not discipline an employee who is a crime victim and discloses PHI to a law enforcement official, so long as the PHI concerns the suspected perpetrator of the criminal act and the PHI is limited as required by the Privacy Rules (see 45 CFR (j)). F. No Intimidating or Retaliatory Acts The Privacy Rules prohibit FSU from intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against individuals for exercising their rights under the Privacy Rules. FSU s policy is that FSU will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their privacy rights, filing a complaint, participating in an investigation, or opposing any improper practice under the Privacy Rules. 8

14 G. No Waiver of Rights The Privacy Rules prohibit FSU from requiring individuals to waive their individual rights under the Privacy Rules. FSU s policy is that individuals shall not be required to waive their rights under the Privacy Rules as a condition of treatment, payment, enrollment in the Health Plan, or eligibility for benefits. Limited Exception for the Health Plan s Eligibility or Enrollment Determinations. FSU may condition enrollment in the Health Plan or eligibility for benefits on provision of an authorization requested by the Health Plan prior to an individual s enrollment in the Health Plan if (1) the authorization is sought for the Health Plan s eligibility or enrollment determination relating to the individual or for its underwriting or risk rating determinations; and (2) the authorization is not for a use or disclosure of psychotherapy notes. H. Notice of Privacy Practices The Privacy Rules require FSU to provide participants in the Health Plan with a notice describing (1) how the Health Plan may use and disclose their PHI; (2) individuals rights under the Privacy Rules; and (3) the Health Plan s legal duties with respect to PHI. FSU s policy is to create and distribute such a notice ( Notice of Privacy Practices or Notice ) as required by the Privacy Rules. Creating the Notice. The Privacy Officer is responsible for developing and maintaining the Health Plan s Notice. The Privacy Officer also must ensure that the Notice complies with the requirements set forth in the Privacy Rules and that a copy of the Notice is maintained in accordance with the Documentation and Retention Requirements (see section III.M, Documentation and Record Retention Requirements ). Contents of the Notice. The Notice of Privacy Practices shall describe: the uses and disclosures of PHI that may be made by the Health Plan the individual s rights the Health Plan s legal duties with respect to PHI Delivering the Notice. The Privacy Officer will ensure that that Notice is delivered to participants in the Health Plan as follows: to each new enrollee in the Health Plan at the time of the individual s enrollment If there is a material revision to the Notice: o if FSU posts its Notice of Privacy Practices on its web site and makes the notice electronically available, FSU will prominently 9

15 post the change or the revised Notice of Privacy Practices on its web site by the effective date of the material change to the Notice of Privacy Practices, and provide the revised Notice of Privacy Practices, or information about the material change and how to obtain the revised Notice in its next annual mailing to individuals covered by the Health Plan o If FSU does not post its Notice of Privacy Practices on its website, FSU must provide the revised Notice of Privacy Practices, or information about the material change and how to obtain the revised Notice of Privacy Practices to individuals covered by the Health Plan within 60 days of any material revision to the Notice to individuals who are then covered by the Health Plan (unless HIPAA regulations allow for an alternative distribution schedule) At least once every three years, the FSU will inform all participants then covered by the Health Plan that the Notice is available and how they can obtain a copy. FSU will also provide a copy of the Notice to any individual upon request. Posting the Notice on FSU s Web Site. FSU maintains a web site that provides information about customer services or benefits (including an intranet site with information on employee benefits, the Health Plan, etc.), FSU must prominently post the Notice on the web site and make the Notice available electronically through the web site. Electronic Delivery of Notice of Privacy Practices. The following rules apply to provision of the Notice of Privacy Practices by If an individual agrees, the Notice of Privacy Practices may be delivered electronically by . An individual may withdraw permission to receive the Notice of Privacy Practices by at any time. If FSU knows that an transmission to an individual has failed, FSU must provide a paper copy of the Notice of Privacy Practices to the individual. Revisions to the Notice. FSU will revise the Notice whenever there is a change in law that requires a material revision to the Policies and Procedures, or whenever FSU elects to make a material revision to the Policies and Procedures. When this occurs, FSU will redistribute the Notice to Health Plan participants. III. Procedures for Uses and Disclosures of PHI A. Who Must Comply with These Policies and Procedures 10

16 All members of FSU s workforce must comply with the Policies and Procedures. However, only members of FSU s workforce who assist in administering the Health Plan have access to PHI. B. Limitations on Access to PHI FSU limits access to PHI to employees with certain job functions ( Authorized Employees ). These Authorized Employees either perform functions directly on behalf of the Health Plan, or they access PHI on behalf of FSU for its use in administering the Health Plan. Authorized Employees are: Privacy Officer Director, Human Resources Benefits Manager Benefits Specialist HRIS Coordinator Administrative Assistant, Human Resources Others authorized or designated by the Associate Vice President for Human Resources These Authorized Employees may use and disclose PHI to perform or support Health Plan administration functions, and they may disclose PHI to other Authorized Employees who perform or support Health Plan administration functions. Such uses and disclosures, however, must be limited to the minimum necessary to perform or support Health Plan administration functions. Routine uses and disclosures must be made in accordance with departmental procedures (see section V.E., Departmental Minimum Necessary Policies and Procedures ). Non-routine uses and disclosures must be approved by the Privacy Officer. Authorized Employees may not disclose PHI to employees not identified in this section, except in accordance with these Policies and Procedures. C. Permitted Uses and Disclosures of PHI for Payment and Health Care Operations Although uses and disclosures of PHI are generally prohibited without an authorization, the Privacy Rules permit certain types of uses and disclosures for payment and health care operations without an authorization. FSU s policy is to disclose PHI for payment and health care operations as permitted in the Privacy Rules. Uses and Disclosures for the Health Plan s Own Payment Activities or Health Care Operations. FSU may use and disclose an individual s PHI to perform the Health 11

17 Plan s own payment activities or health care operations. As permitted under the Privacy Rules, including, but not limited to the following activities: determining Health Plan benefits and eligibility for benefits paying claims and providing benefits enrollment and disenrollment in benefit programs obtaining premium bids and quotes for administrative services, and other activities related to placement, renewal or replacement of a contract of health insurance or for administration of health benefits (including stoploss and excess loss insurance) determining costs of self-insured benefits and employee contribution amounts coordinating benefits with other plans and coverages final adjudication of appeals on claims appeals exercise of the Health Plan s rights of recovery, reimbursement, and subrogation obtaining employee contributions assisting participants and beneficiaries with questions relating to eligibility, benefits, appeals and other inquiries relating to the Health Plan evaluating plan performance and making recommendations to Amway on Health Plan design issues engaging in quality assessment activities complying with laws that apply to the Health Plan, such as ERISA, COBRA, Medicare Secondary Payer rules, etc. obtaining legal services relating to the administration of the Health Plan performing auditing functions, including programs to detect fraud and abuse engaging in cost-management activities making claims under stop-loss or excess loss insurance 12

18 engaging in business planning, management and other general administration of the Health Plan conducting activities in connection with the transfer, merger or consolidation of the Health Plan, including due diligence. In doing so, FSU must follow these procedures: Routine Uses and Disclosures. Routine payment and health care operations may be performed without approval of the Privacy Officer. o in performing these routine functions, FSU must follow its departmental policies and procedures (see section V.E., Department Minimum Necessary Policies and Procedures ). o each such use or disclosure must be limited to the minimum necessary to achieve the purpose of the disclosure (see section V, Procedures for Complying with the Minimum Necessary Standard ) Non-routine Uses and Disclosures. Non-routine uses or disclosures must be approved by the Privacy Officer, who will approve a non-routine use or disclosure only after considering FSU s use and disclosure criteria (see section V) Disclosures for Another Covered Entity s Payment Activities. FSU may disclose an individual s PHI to another covered entity or health care provider so that the other covered entity or health care provider may perform payment activities. Such disclosures must be made in accordance with the following: Routine Disclosures. Routine disclosures may be performed without approval of the Privacy Officer Non-routine Disclosures. Non-routine disclosures must be approved by the Privacy Officer, who will approve a non-routine disclosure only after consideration of FSU s disclosure criteria (see section V) Disclosures for Certain Health Care Operations of the Receiving Covered Entity. FSU may disclose PHI for purposes of another covered entity s quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the individual and the PHI requested pertains to that relationship the disclosure complies with the minimum necessary standard (see section V) 13

19 the disclosure is approved by FSU s Privacy Officer, who will approve the disclosure only after consideration of FSU s disclosure criteria (see section V) Uses and Disclosures for Plans or Programs Other than the Health Plans. Unless an individual who is the subject of the PHI has provided an authorization, FSU may not use or disclose the individual s PHI for the payment or administration of FSU s plans or programs other than the Health Plan (e.g., disability, worker s compensation, life insurance, etc.). If FSU needs an individual s PHI for the payment or administration of FSU plans or programs other than the Health Plan, the following procedures must be followed: obtain an authorization from the individual o contact the Privacy Officer to determine whether an authorization for this type of use or disclosure is already on file. The authorization must allow the particular use or disclosure at issue o if no authorization is on file, request the Individual Authorization Form from the Privacy Officer. Because the Privacy Rules require authorizations to meet specific content requirements, FSU shall use the Individual Authorization Form unless the Privacy Officer specifically approves otherwise the Privacy Officer must approve the use or disclosure after considering FSU s use and disclosure criteria (see section V) the use or disclosure must comply with the minimum necessary standard (see section V) Questions about Uses and Disclosures for Payment and Health Care Operations. Any FSU employee who is unsure as to whether a particular task that involves use or disclosure of PHI qualifies as a payment activity or health care operation of the Health Plan must contact the Privacy Officer. Use of Genetic Information. FSU will not use any genetic information, including family medical history, to conduct any eligibility determinations or other underwriting activities. This includes the computation of premiums or contribution amounts under the Health Plan. D. Mandatory Disclosures of PHI to Individuals and HHS The Privacy Rules require FSU to disclose an individual s PHI when requested by the individual or, under certain circumstances, by the Department of Health and Human Services. FSU s policy is to cooperate with these requests and to disclose the PHI in accordance with the Privacy Rules. 14

20 Requests from the Individual. An individual (or the individual s personal representative) may request a disclosure of his or her own PHI. FSU will respond to such requests by following the procedures under Individual s Request to Inspect and Copy (see section IV.A). Request from the Department of Health and Human Services (HHS). FSU will respond to a request from an HHS official for disclosure of PHI as follows: verify the identity of the HHS official using the procedures set forth in the section entitled Verifying the Identity of Those Requesting PHI (see section III.L) document the disclosure as required under the Privacy Rules documentation requirements (see section III.M, Documentation Requirements ) E. Permitted Uses and Disclosures of PHI for Legal and Public Policy Purposes From time to time, FSU may receive requests from courts, parties to litigation, law enforcement officials, public health authorities, or various other government agencies or officials to use or disclose an individual s PHI. The Privacy Rules set forth guidelines under which FSU may use or disclose PHI in such circumstances. FSU s policy is that FSU may respond to such a request only if the use or disclosure meets the following conditions: FSU s Privacy Officer approves the use or disclosure after consultation with legal counsel the disclosure complies with the minimum necessary standard or is specifically exempted from the minimum necessary standard (see section V, Procedures for Complying with the Minimum Necessary Standard ) the disclosure falls within one of the following categories, and the specific requirements set forth in the Privacy Rules have been followed (see section of the Privacy Rules): o in response to an order of a court or an administrative tribunal o in response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal, provided that there is an appropriate protective order in place and, where medical records are involved, the individual has waived his or her physician-patient privilege o pursuant to process (such as a court-ordered warrant or an administrative summons) and as otherwise required by law o to a law enforcement official (1) about an individual who has died; (2) for identification and location purposes; (3) about an individual 15